ALTQ on outbound data when connection started inbound

I have a PF firewall, and on the network is a Windows machine that I connect to remotely with Remote Desktop.

I want to prioritize the RDP traffic so that it is not laggy when other people are using the link during the day.

The problem is, when I set up a rule to give the traffic high priority, it is not being matched because the connection is initiated from the outside. It appears that once the connection is in the state table, PF does not send it down the rule list, so the outgoing data (which is what I am trying to prioritize) is never checked.

I don't have any rules near the top which involve keeping state.

I initially tried tagging the packets with the rdr rule that handles the RDP connection, and I just now tried using a TCP proxy on the firewall instead of NAT, but again, the packets aren't matching because the connection is already in the state table.

Ideas on how I can do this?

My firewall setup as a whole is working effectively. I have MSN prioritized, but those connections start from within the network and then go out to the internet, so the tagging at the 'nat' line in pf.conf works. The problem with the RDP thing is that the connections originate from outside and come in.
 
Do you want to prioritise incoming or outgoing RDP traffic? Outgoing traffic ('reply traffic' to the incoming connection in your case) can be fed to ALTQ using queue statements on the 'pass in' rule. This will not affect incoming RDP traffic, just outgoing traffic.

As a general rule, one should put queue statements in every pass rule when using ALTQ on one interface. This will catch locally originated outbound traffic, and replies to externally originated inbound traffic.

If you want to prioritise both incoming and outgoing traffic, you'll have to create ALTQ instances on two interfaces, assuming the firewall separates LAN and WAN. The WAN side shapes outgoing traffic (LAN -> WAN), the LAN side shapes incoming traffic (WAN -> LAN).
 
I added a rule that puts "in from internet to $ext_if port 3389" into the ext_if outbound queue, and it seems to work. Is this correct? (Remember that there is a tcp proxy on the firewall handling the connection to the inside machine).

Thanks.
 
That should work, yes.

ALTQ queues will be associated with the relevant parts of a traffic stream (in this case: outbound traffic), so a queue statement on an inbound rule will match outbound traffic caused/allowed by the state of that rule (like e.g. tcp-acks and return traffic).

I don't think the tcp proxy matters, because it doesn't interfere with the stateful connection itself. Whether the tcp proxy handles the connection, or some machine in the LAN, doesn't make a difference. The traffic has already been seen by PF, where the state is handled and where the traffic shaping takes place. Everything past that (let's say 'behind the interface') is irrelevant.
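The arrangement discussed above, written out as an added pf.conf fragment (old-style ALTQ syntax; this is an illustration, not any of the posters' actual configuration). Interface names, the 10Mb bandwidth figure, the queue names and the port 22 rule are assumptions; the point it shows is that the queue on the 'pass in' rule for port 3389 is what ends up shaping the outbound reply packets on $ext_if.

```pf
# Added example, not the original poster's config. Interfaces, bandwidth
# and queue names are assumed values.
ext_if = "em0"
int_if = "em1"

# One ALTQ instance on the WAN interface. It only ever shapes packets
# leaving through $ext_if; inbound packets are not queued here.
altq on $ext_if priq bandwidth 10Mb queue { q_rdp, q_dflt, q_bulk }
queue q_rdp  priority 7
queue q_dflt priority 3 priq(default)
queue q_bulk priority 1

# Inbound RDP to the firewall's own external address (terminated by the
# local tcp proxy in the poster's setup). The state created by this rule
# also covers the return packets, so the queue assignment applies to the
# outbound RDP data even though no 'pass out' rule ever sees it.
pass in on $ext_if proto tcp from any to ($ext_if) port 3389 \
    flags S/SA keep state queue q_rdp

# Any other inbound service: its replies go out via the default queue.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state queue q_dflt

# Locally or LAN-originated outbound traffic is queued on 'pass out' rules
# in the usual way; bulk transfers get the low-priority queue.
pass out on $ext_if proto tcp from any to any port 3389 \
    flags S/SA keep state queue q_rdp
pass out on $ext_if proto tcp from any to any port { 20, 21 } \
    flags S/SA keep state queue q_bulk
pass out on $ext_if proto { tcp, udp } from any to any \
    keep state queue q_dflt
```

To confirm the reply traffic is really landing in q_rdp rather than the default queue, watch the per-queue packet counters with `pfctl -vvsq` while an RDP session is active.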